[Samba] use spnego question - samba 47 to samba48 migration

Kontrol-Suporte suporte at kontrolsecurity.com.br
Sat Jun 23 21:21:23 UTC 2018


In Time.

Checking the services, folders and permissions, it seems samba48 does not follow exactly the same samba47 model.
When restarting samba47 by using "/usr/local/etc/rc.d/samba_server restart" I could see all three services being restarted (smbd, nmbd and winbind).
Now restarting samba48 I can see 2 services only (smbd and nmbd); the winbind seems to be separated. I could not find any entry for a winbind service restart under "rc.d/".

It's important to say that the authentication is working fine with Kerberos/tickets - NTLM is the only one failing.

Thanks,
Fabricio.

-----Original Message-----
From: Kontrol-Suporte <suporte at kontrolsecurity.com.br> 
Sent: Saturday, June 23, 2018 5:05 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] use spnego question - samba 47 to samba48 migration

Hello Gentlemen.
OK, Tests were made. I got some errors only when using Samba48 (samba47 is still fine)
IMPORTANT: I forgot to mention... This is being used with SQUID Proxy for SSO authentication.

Got NTLMSSP neg_flags=0xa2088207
Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24 len2=338 Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due to [{Access Denied} A process has requested access to an object but has not been granted those access rights.] GENSEC login failed: NT_STATUS_ACCESS_DENIED

I tried the new settings as suggested and also partial changes. Both are presenting the same behaviour. Nothing was changed in the AD side.
I also re-checked the permissions/ownership on "/var/db/samba4/winbindd_privileged"  folder which is used by SQUID.

To Rowland:  You asked if I really need the "min protocol = LANMAN2" option. Well, the idea was to enforce a minimum security level.

Any help will be very appreciated.

Regards
Fabricio.


-----Original Message-----
From: Kontrol-Suporte <suporte at kontrolsecurity.com.br>
Sent: Saturday, June 23, 2018 3:42 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] use spnego question - samba 47 to samba48 migration

Thanks everyone who replied to this thread.
I will try the new settings ASAP!

Thanks once again!

Fabricio.


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Saturday, June 23, 2018 8:13 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration

On Fri, 22 Jun 2018 19:25:11 -0300
Kontrol-Suporte via samba <samba at lists.samba.org> wrote:

> Hello Everyone,
> 
> Good evening!
> 
> Here is the background:
> 
> I am moving from samba47 to samba48 - I am keeping my existing scripts 
> and config files.
> 
> The messages below are now appearing while executing some tasks in
> samba48 only - samba47 is not showing it:
> 
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
> 
> Question:  is the "use spnego" deprecated for samba48? If so, what is 
> replacing it?
> 
> Here is my smb4.conf file:
> 
> ###############################
> 
> [global]
> workgroup = MYDOMAIN
> map to guest = never
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> usershare allow guests = no
> client NTLMv2 auth = yes
> client lanman auth = no
> client plaintext auth = no
> use spnego = yes
> client use spnego = yes
> min protocol = LANMAN2
> idmap gid = 10000-20000
> idmap uid = 10000-20000
> realm  = MYDOMAIN.CORP
> security = ads
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind use default domain = yes
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> log level = 3 passdb:5 winbind:3
> usershare allow guests = no
> printcap name = /dev/null
> load printers = no
> printing = bsd
> local master = no
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> 
> [homes]
> comment = Home Directories
> valid users = %s, %D%W%S
> browseable = no
> read only = no
> inherit acls = yes
> 
> ###############################
> 
> Thanks Much!
> 
> Fabricio.
> 

OK, you have multiple default lines in your smb.conf, these are:

map to guest = never
usershare allow guests = no
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
client use spnego = yes
template homedir = /home/%D/%U
winbind nested groups = yes
encrypt passwords = yes
usershare allow guests = no

You might as well remove them.

The following lines are not much use in a Unix domain member smb.conf, they don't work with AD:

logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:

So you might as well remove them as well.

These two lines slow things down and are not actually needed:

winbind enum users = yes
winbind enum groups = yes

You might as well remove them as well.

'use spnego' was removed at 4.8.0, so you must remove this line.

You should also remove the 'socket options' line, you should let your kernel sort this for you.

Finally 'idmap gid' and 'idmap uid' have been deprecated for quite some time and have been replaced by 'idmap config' lines, so with all the removals etc, can I suggest you try this smb.conf:

[global]
    workgroup = MYDOMAIN
    realm  = MYDOMAIN.CORP
    security = ads

    # Do you really need this? (smb.conf only treats whole lines starting with '#' or ';' as comments)
    min protocol = LANMAN2

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-20000
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind use default domain = yes
    log level = 3 passdb:5 winbind:3
    printcap name = /dev/null
    load printers = no
    printing = bsd
    local master = no
    kerberos method = secrets and keytab

[homes]
    comment = Home Directories
    valid users = %s, %D%W%S
    browseable = no
    read only = no
    inherit acls = yes

Rowland
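As an added example (not part of the thread or of Samba itself), here is a small Python check that automates the review Rowland did by hand: it flags 'use spnego' (removed in 4.8.0), 'idmap uid'/'idmap gid' (deprecated in favour of 'idmap config' lines), and any parameter set more than once in the same section, as happened with 'usershare allow guests' and 'winbind refresh tickets' in the original smb4.conf. The sample configuration is constructed from a subset of the poster's [global] section.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the poster's [global] section.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   use spnego = yes
   client use spnego = yes
   idmap gid = 10000-20000
   idmap uid = 10000-20000
   usershare allow guests = no
   winbind refresh tickets = yes
   ; whole-line comments are skipped
   usershare allow guests = no
   winbind refresh tickets = yes
[homes]
   read only = no
"""

# Advice from the thread, keyed by normalised parameter name.
REMOVED = {"usespnego": "removed in 4.8.0, delete the line"}
DEPRECATED = {
    "idmapuid": "deprecated, use 'idmap config DOMAIN : range' instead",
    "idmapgid": "deprecated, use 'idmap config DOMAIN : range' instead",
}

def normalise(name):
    # Samba matches parameter names ignoring case and whitespace.
    return re.sub(r"\s+", "", name).lower()

def lint_smb_conf(text):
    """Return sorted (line_number, message) findings for an smb.conf text."""
    findings, section = [], None
    seen = defaultdict(list)  # (section, param) -> line numbers
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            findings.append((lineno, "unparseable line: %r" % line))
            continue
        key = normalise(line.split("=", 1)[0])
        seen[(section, key)].append(lineno)
        if key in REMOVED:
            findings.append((lineno, "'%s': %s" % (key, REMOVED[key])))
        elif key in DEPRECATED:
            findings.append((lineno, "'%s': %s" % (key, DEPRECATED[key])))
    for (sec, key), lines in seen.items():
        if len(lines) > 1:                   # later value silently overrides
            findings.append((lines[-1], "'%s' set %d times in [%s] (lines %s)"
                             % (key, len(lines), sec, lines)))
    return sorted(findings)
```

Running `lint_smb_conf(open("/usr/local/etc/smb4.conf").read())` on the real file gives the line numbers to edit before the 4.8 upgrade.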
